The Fault in Our Password System

In the wake of Heartbleed, tech companies offered up tips to create better passwords. But what if passwords just aren't a good way to protect data?


The discovery of the Heartbleed bug last week threw the Internet into chaos. In the wake of the bug, every tech site, blog and service offered up fresh tips to create better passwords to protect accounts. But the problem isn’t really with the strength of the password; it may just be the case that passwords are not a good way to protect data.

According to BuzzFeed writer Charlie Warzel, passwords are a holdover from the younger Internet:

It’s a technology built for an Internet that no longer exists — one that didn’t fully realize and anticipate now-habitual activities like online banking and commerce. And as our digital lives continue to merge and become indistinguishable from our physical ones, passwords have never been more common, important or vulnerable.

Merging our online and offline lives through smartphones has been called both a boon and a curse for passwords. While it’s true that two-step authentication through text messages is a good step toward security, tying your phone to an account could be pretty disastrous in the event of a data leak. Your phone number will get out, and it will be tied back to your name.

In truth, passwords just aren’t good at securing data. The traditional wisdom states that your passwords — which should be unique for each site or service — should contain numbers, special characters, and upper- and lowercase letters to be secure. But not only are those passwords hard to remember, they’re not all that hard to crack. Hackers are onto the most popular password tricks, according to Lifehacker.

Changing the authentication method to biometrics could be even worse, according to 1Password engineer Jeffrey Goldberg. “Imagine a password that you could never change, and that anyone within listening, photographing or fingerprint lifting distance could copy. Your voice may be your passport, but it is a lousy secret,” he told BuzzFeed.

While password-manager software, which stores your passwords in encrypted form, has existed for a while, it’s likely to boom in popularity because of Heartbleed. But when the solution becomes one where no one is allowed to know the password, not even the user, it’s clear that we’re working with a heavily flawed system. If you’re worried about your passwords, check their strength, change them frequently or just encrypt your own passwords if the tech companies won’t.

Publish date: April 15, 2014. Adweek.